From 3c9732a0c6df141d1a3cfdb9e51e966cfeef1bb8 Mon Sep 17 00:00:00 2001
From: Codex Security Bot
Date: Sun, 8 Mar 2026 07:59:48 +0000
Subject: [PATCH] security: sanitize relation graph node html rendering
---
 .../3rd/relation-graph/core4vue/SeeksRGNode.vue | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/cmdb-ui/src/modules/cmdb/3rd/relation-graph/core4vue/SeeksRGNode.vue b/cmdb-ui/src/modules/cmdb/3rd/relation-graph/core4vue/SeeksRGNode.vue
index 2ade7647..5f7427e3 100644
--- a/cmdb-ui/src/modules/cmdb/3rd/relation-graph/core4vue/SeeksRGNode.vue
+++ b/cmdb-ui/src/modules/cmdb/3rd/relation-graph/core4vue/SeeksRGNode.vue
@@ -13,7 +13,7 @@ -
+
- +
-
+
@@ -220,6 +220,14 @@ export default {
 this.onNodeClick(this.nodeProps, e)
 }
 },
+ safeHtml(content) {
+ if (this.graphSetting && this.graphSetting.allowUnsafeHtml === true) {
+ return content || ''
+ }
+ const div = document.createElement('div')
+ div.textContent = content || ''
+ return div.innerHTML
+ },
 // beforeEnter(el) {
 // console.log('beforeEnter')
 // el.style.opacity = 0
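Review bot: `safeHtml` returns `content` unmodified whenever `this.graphSetting.allowUnsafeHtml === true`, so the escaping added here is all-or-nothing and the method name does not describe what the opt-in branch does. The hunk does not show where `graphSetting` is populated; if it can be loaded from the same payload as the node data, the flag should instead be read from a source the graph data cannot set, which is worth confirming before merge. The default branch's `textContent`/`innerHTML` round trip escapes `&`, `<` and `>` but not quotes, which is adequate for element content such as `v-html` and not for attribute values. I would add a comment above the method, e.g. `// Escapes node html to text for use as element content only; allowUnsafeHtml === true returns it unsanitized, so enable it only for trusted graph data.` The enclosing `methods` object starts and ends outside the hunk.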